Reducing MTTR with Generative AI: From 29 Minutes to Under 9

By Martin Riley, 31 March 2026
The threat landscape has accelerated. Research shows that data exfiltration now begins within three days of initial access on average, with as little as 2.7 hours between exfiltration starting and detection. Sophisticated threat actors like Scattered Spider have demonstrated the ability to achieve their objectives within five minutes of initial login. In this environment, mean time to respond is not just a metric; it is a measure of whether your security operations can keep pace with adversaries.

The SLA Challenge

Many organisations contractually seek 15 or 30 minute service level agreements for mean time to acknowledge, with similar expectations for escalation. These SLAs reflect the understanding that speed matters, but traditional security operations often struggle to meet them consistently, particularly for complex investigation types.

The challenge is not analyst capability but workflow efficiency. A skilled analyst investigating an account compromise might spend the majority of their time gathering evidence rather than analysing it. Pulling authentication logs, checking mailbox rules, reviewing group memberships, correlating with threat intelligence: these steps are necessary but time-consuming. Reducing MTTR requires addressing this evidence gathering bottleneck.

The Agentic Difference

Moving from traditional SOAR-based automation to agentic AI investigation workflows has delivered measurable results in reducing MTTR. For account compromise investigations following phishing emails, we have reduced mean time to respond from 29 minutes to under 9 minutes, with equal or greater accuracy than tier one and two analysts.

The difference is in how the work gets done. Traditional automation executes predefined playbooks sequentially. If step three depends on the output of step two, you wait. Agentic AI can parallelise evidence gathering, adapting its approach based on what it finds. It gathers context from multiple sources simultaneously, correlates findings as they arrive, and presents a complete picture to the analyst ready for decision.

The analyst receives not just raw data but a structured assessment with confidence scoring, relevant threat intelligence, and recommended next steps. The human time spent shifts from evidence gathering to validation and decision-making. This is where reducing MTTR delivers genuine value: not by cutting corners but by eliminating inefficiency.

The Variables That Matter

It is important to be clear that reducing MTTR through AI is not automatic. Results vary based on customer maturity, data availability, and appetite for automation. Organisations with well-instrumented environments and clean data see faster improvements. Those with gaps in logging or inconsistent data quality need foundational work before AI can deliver its full potential.

Risk appetite also matters. Some organisations are comfortable with AI handling more of the investigation autonomously. Others prefer tighter human oversight at each stage. Both approaches can achieve significant improvements in reducing MTTR, but the specific numbers will differ. The 29 to under 9 minute improvement reflects customers who have embraced orchestration and AI capabilities fully.

For organisations at earlier stages of their journey, an average MTTR of under 15 minutes is an achievable target with the right partnership and approach. This still represents a significant reduction in risk compared to typical industry benchmarks.

Speed Without Sacrificing Accuracy

Reducing MTTR is only valuable if accuracy is maintained. Faster wrong answers are worse than slower right ones. The agentic approach succeeds because it accelerates the right parts of the process while preserving human judgment where it matters.

Evidence gathering is deterministic and thorough. The AI does not skip steps to save time; it executes them in parallel to save time. Analysis is comprehensive, considering multiple hypotheses and weighing evidence systematically. Confidence scores are calibrated against historical outcomes, so analysts know when to trust AI recommendations and when to investigate further.

The human analyst validates findings before containment actions are taken. This validation step adds minimal time but provides the quality assurance that prevents costly errors. Reducing MTTR through AI is about working smarter, not cutting corners.
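
The sequential playbook versus parallel evidence gathering contrast described earlier, together with the analyst validation gate above, sketched in Python as an added example (not code from Bridewell or any product). The collectors, sample findings, the share-of-sources score and the 0.5 threshold are all assumptions constructed for illustration.

```python
import asyncio
import time

# Constructed stand-ins for the article's evidence sources; sleep simulates API latency.
def collector(name, suspicious, detail, fail=False):
    async def run(user):
        await asyncio.sleep(0.1)
        if fail:
            raise TimeoutError(f"{name} timed out")  # constructed logging gap
        return {"source": name, "suspicious": suspicious, "detail": detail}
    return run

COLLECTORS = {  # constructed sample findings, not real data
    "auth_logs": collector("auth_logs", True, "sign-in from a country not seen before"),
    "mailbox_rules": collector("mailbox_rules", True, "new rule forwards mail externally"),
    "group_memberships": collector("group_memberships", False, "no recent changes"),
    "threat_intel": collector("threat_intel", False, "", fail=True),
}

async def gather_sequential(user):
    results = []
    for run in COLLECTORS.values():  # playbook style: each step waits for the last
        try:
            results.append(await run(user))
        except Exception as exc:
            results.append(exc)
    return results

async def gather_parallel(user):
    # All sources are queried at once; a failed source is kept as an exception object.
    runs = (run(user) for run in COLLECTORS.values())
    return await asyncio.gather(*runs, return_exceptions=True)

def assess(user, results):
    findings = [r for r in results if isinstance(r, dict) and r["suspicious"]]
    gaps = [n for n, r in zip(COLLECTORS, results) if isinstance(r, Exception)]
    score = len(findings) / len(COLLECTORS)  # naive score, an assumption of this example
    return {"user": user, "score": score, "findings": findings, "gaps": gaps,
            "recommendation": "contain" if score >= 0.5 else "monitor"}

def contain(assessment, analyst_approved):
    # Containment runs only after a human has validated the assessment.
    if assessment["recommendation"] == "contain" and analyst_approved:
        return f"sessions revoked for {assessment['user']} (simulated)"
    return "no action"

def timed(gather, user):
    start = time.perf_counter()
    results = asyncio.run(gather(user))
    return results, time.perf_counter() - start
```

Sources that fail to answer are surfaced in `gaps` rather than silently dropped, so the analyst can see which evidence the score was computed without.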

The Strategic Implication

For CNI operators, reducing MTTR is directly tied to risk reduction. Every minute saved in response is a minute less for an attacker to achieve their objectives. In environments where the consequences extend to physical safety and essential services, this is not an abstract improvement.

The organisations seeing the best results are those partnering with providers who have invested in agentic capabilities and proven them in operational environments. Reducing MTTR at this scale requires more than tools; it requires the workflows, integrations, and expertise to apply AI effectively to security operations.

Speed matters. AI makes speed achievable without sacrificing the accuracy that critical infrastructure demands.

To discuss how AI can help reduce MTTR in your security operations, contact us.

About the Author

Martin Riley

Chief Technology Officer

Martin Riley is the Director of Manager Security Services and a Board Director at Bridewell, w...